It’s easy to think securing your website is a low priority because it has nothing worth hacking. Even if that’s true — and it probably isn’t — consider a few things. For one, you have a website because you want people to find you online, right? And two, a hacker could be using your domain for any number of reasons, from rerouting spam messages to serving up illegal files.
It’s much easier to take a few preventative steps now to protect your website, rather than trying to figure out what to do after you’ve been hacked — especially if you’re running your own DIY solution. If you’re wondering what you can do to make sure that your business doesn’t become a target for hackers, here are some tips to secure your website.
Securing your website means everything stays updated
With WordPress, to name one platform, updates constantly come out for the plugins and widgets that comprise your site. This isn’t just because developers are adding new features. It’s important to realize the vast majority are patching some sort of security vulnerability that has become common knowledge.
While it may be tempting to neglect updating your website because updates can sometimes break what’s already working, these patches are critical to your site’s security.
If you’re running a site on your own server, patching goes double for the OS and other systems that you depend upon. Many developers use tools to track their software dependencies because it’s easy to miss a patch on something you’re not paying attention to, but actually depend on quite a lot. Using industry resources or tools to notify you when new security vulnerabilities are announced is a good way to make sure that you stay in the loop, even if you only update your website once a month.
Get strict about access
Even if you don’t use the information, you need to spend time looking at who has user access to your site and what the login information looks like. Depending on how you’re securing your website, there might be some default usernames and passwords you need to change. Hackers often use bots to automatically crawl the web trying the most commonly used username and password combinations.
If you have a business network, make sure users aren’t inadvertently propping open the door for an attacker with weak logins or other poor security practices. Change passwords regularly, and never write them down. Set logins to expire after a reasonable amount of time, and make sure to regularly audit who has credentials, especially when people are transitioning in and out of your organization.
It’s also a good idea to hide your admin pages so they don’t get indexed by search engines. Leaving them indexed is basically like putting up a big “hack me” sign with arrows pointing right to your front door. Take a look at your robots.txt file to make sure you’re securing your website and not rolling out the red carpet for hackers. It’s relatively simple to configure, and there are many tutorials available to help walk you through the steps you need to take.
Use security software
There is a wide range of software available to help you with securing your website and network, depending on what platform you’re using and what level of protection you want to have. The best choices, such as GoDaddy Website Security, powered by Sucuri, are cloud-based subscription services. These are automatically updated, so you don’t need to worry as much about being on top of the latest in web security. It also gives you someone to call for help securing your website, which is huge when you don’t have an IT pro on your payroll.
If you can’t necessarily afford a monthly subscription at this stage in the game, there are also several free tools available that make you a more resilient target against hackers. A plugin that hides your CMS can help you with securing your website from the automated tools that attackers use to scout for targets.
If you’re going with your own solution, the previous advice about keeping everything updated applies double for your security software. Make sure you get on the developer’s mailing list so you always have a heads-up when new updates become available.
Beware of information leakage
A great thing about the web is that you can peek at the source code for anything that you’re looking at. If you like something you come across, it’s usually a pretty simple task to use your browser’s developer tools to find out how it was implemented, or what plugin they’re using to make it work that way, and then steal it for your own site.
You need to be careful about what’s publicly available. It’s common for developers to insert comments to help them understand how different parts of their code work when they come back to it later, or to make it easier for another programmer to do the same. Unfortunately, a problem arises when parts of the code are flagged as buggy, and those comments go live on your public-facing page. Buggy code is vulnerable code, and you’re making a hacker’s job a whole lot easier when those sections are flagged and documented extensively.
When you publish new code, make sure that you take time to double check that any compromising comments are removed from the public version. It’s a step in securing your website that can often get overlooked.
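One way to make that double check repeatable is a pre-publish scan of the HTML, CSS and JavaScript you are about to ship. This is an added example, not code from the original article; the list of flagged words and the sample page are assumptions constructed for illustration.

```python
import re

# Matches HTML comments, CSS/JS block comments, and JS line comments.
# The lookbehind skips the "//" inside URLs such as https://...
COMMENT = re.compile(
    r"<!--(.*?)-->"
    r"|/\*(.*?)\*/"
    r"|(?<![:'\"])//([^\n]*)",
    re.S,
)

# Assumed list of words that mark a comment as worth reviewing before release.
RISKY = re.compile(
    r"\b(todo|fixme|hack|xxx|bug|buggy|password|secret|api[ _-]?key|insecure|vulnerab\w*)\b",
    re.I,
)

def find_risky_comments(source):
    """Return (line_no, comment_text) for each comment containing a flagged word."""
    hits = []
    for match in COMMENT.finditer(source):
        body = next(g for g in match.groups() if g is not None)
        if RISKY.search(body):
            line_no = source.count("\n", 0, match.start()) + 1
            hits.append((line_no, " ".join(body.split())))
    return hits

# Constructed sample page, not taken from a real site.
SAMPLE = '''<!DOCTYPE html>
<html>
<head>
<!-- site header -->
<script src="https://cdn.example.com/app.js"></script>
<script>
// FIXME: search box does not escape input yet
function search(q) { return "/search?q=" + q; }
/* legacy login form kept for the old app,
   still uses the shared test password */
</script>
</head>
<body><!-- build 42 --></body>
</html>
'''

if __name__ == "__main__":
    for line_no, text in find_risky_comments(SAMPLE):
        print(f"line {line_no}: {text}")
```

Run it over the built output rather than the source tree, since a minifier may already strip some comments, and treat every hit as something to remove or rewrite before the page goes live.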
Adopting a security mindset
Attacks on websites are as diverse as the web itself, so it’s hard to cover every risk you might face in one article.
Boogeymen aside, the important thing is to adopt a security mindset, making sure that you incorporate good habits into your development process.
Most vulnerabilities exist because you don’t know about them, whether that’s a new update for a plugin or old login credentials lying dormant on your network. You might not be a security expert, but taking responsibility and doing what you can will make you more resilient and contribute to securing your website over the long haul.